Each time Elastic Desktop Service (EDS) receives an HTTP or HTTPS request, the EDS system verifies the identity of the requester based on the signature in the request. Alibaba Cloud uses an AccessKey pair to perform symmetric encryption and verify the identity of the requester.

Overview

You must add a signature to a remote procedure call (RPC) API request in the following format:

https://Endpoint/?SignatureVersion=1.0&SignatureMethod=HMAC-SHA1&Signature=CT9X0VtwR86fNWSnsc6v8YGOjuE%3D&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf
Parameter description:
  • SignatureMethod: the method that is used to calculate the signature. Set the value to HMAC-SHA1.
  • SignatureVersion: the version of the signature algorithm. Set the value to 1.0.
  • SignatureNonce: a unique, random number that is used to prevent replay attacks. You must use random numbers for each request. We recommend that you use UUIDs.
  • Signature: the signature that is computed over the request by using the AccessKey secret as the HMAC key, as described below.
Calculate the hash-based message authentication code (HMAC) value of the StringToSign based on RFC 2104. Use the Secure Hash Algorithm 1 (SHA-1) algorithm to calculate the HMAC value. In this example, the Java Base64 encoding method is used.
Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign)) )
Note When you calculate the signature, the key value that is defined by RFC 2104 is the AccessKey secret followed by an ampersand (&) whose ASCII value is 38. For more information, see Obtain an AccessKey pair.

Step 1: Create a signature string

  1. Create a canonicalized query string by using parameters in a request.
    1. Take all request parameters, including all common and operation-specific parameters, and sort them by parameter name in alphabetical order. The Signature parameter itself is excluded from this string.
      Note If you use the GET method to submit a request, the parameters that follow question marks (?) and are connected by ampersands (&) in the request uniform resource identifier (URI) are request parameters.
    2. URL encode the parameter names and values of the request based on UTF-8. The following encoding rules apply:
      • Letters, digits, hyphens (-), underscores (_), periods (.), and tildes (~): not encoded.
      • Other characters: encoded in the %XY format, where XY is the hexadecimal ASCII code of the character. For example, double quotation marks (") are encoded as %22.
      • Extended UTF-8 characters: encoded in the %XY%ZA… format, one %XY group per UTF-8 byte.
      • Spaces: encoded as %20, not as plus signs (+).
      This encoding differs from the application/x-www-form-urlencoded MIME encoding that, for example, the java.net.URLEncoder class in the Java standard library implements. You can encode the string with the Java standard library, and then replace the plus sign (+) in the encoded string with %20, the asterisk (*) with %2A, and %7E with the tilde (~). The following percentEncode method implements this:
      import java.io.UnsupportedEncodingException;
      import java.net.URLEncoder;

      private static final String ENCODING = "UTF-8";

      // RFC 3986 encoding on top of URLEncoder: space -> %20, asterisk -> %2A,
      // and the tilde (which URLEncoder turns into %7E) is restored to ~.
      private static String percentEncode(String value) throws UnsupportedEncodingException {
          return value != null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
      }
    3. Connect the encoded parameter names and values by using equal signs (=).
    4. Keep the connected parameter name and value pairs in the alphabetical order from sub-step 1, and connect the pairs with ampersands (&) to construct the canonicalized query string.
  2. Construct the string to sign (StringToSign) from the canonicalized query string.
    Apply the following rule, using the percentEncode method described above, to the canonicalized query string constructed in Step 1 of this section:
    StringToSign=
      HTTPMethod + "&" +
      percentEncode("/") + "&" +
      percentEncode(CanonicalizedQueryString)
    • HTTPMethod: the HTTP method that is used to send the request, such as GET.
    • percentEncode("/"): the value obtained after the forward slash (/) is encoded based on UTF-8 and RFC 3986. The value is %2F.
    • percentEncode(CanonicalizedQueryString): the string obtained after the canonicalized query string is encoded based on UTF-8 and RFC 3986.

Step 2: Calculate the signature

  1. Calculate the HMAC value of the string to sign (the StringToSign parameter) based on RFC 2104.
    Note Use the SHA1 algorithm to calculate the HMAC value. Your AccessKey secret followed by an ampersand (&) is used as the key for the HMAC calculation. The ASCII value of an ampersand is 38.
  2. Base64-encode the HMAC value. The result is the signature.
  3. Add the signature to the request as the value of the Signature parameter.
    Note The final signature that you want to send in the request must be URL encoded based on RFC 3986.

Examples

In the following example, the DescribeDesktops operation is used. If the AccessKey ID is testid and the AccessKey secret is testsecret, the request URL before the signature is added looks like this:

https://ecd.cn-hangzhou.aliyuncs.com?Timestamp=2020-10-23T12%3A46%3A24Z&Format=XML&AccessKeyId=testid&Action=DescribeDesktops&SignatureMethod=HMAC-SHA1&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf&Version=2020-09-30&SignatureVersion=1.0

Use the preceding URL to construct the string to sign by following the preceding rules, and then use testsecret& as the HMAC key. The calculated signature is:

OLeaidS1JvxuMvnyHOwuJ+uX5qY=

Add the signature to the request as the value of the Signature parameter, URL encoded based on RFC 3986. The signed request URL is:

https://ecd.cn-hangzhou.aliyuncs.com?SignatureVersion=1.0&Action=DescribeDesktops&Format=XML&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf&Version=2020-09-30&AccessKeyId=testid&Signature=OLeaidS1JvxuMvnyHOwuJ+uX5qY%3D&SignatureMethod=HMAC-SHA1&Timestamp=2020-10-23T12%3A46%3A24Z
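The procedure of Step 1 and Step 2 and the DescribeDesktops example above, written out as an added Python example; this is not code from the page or from Alibaba Cloud's SDKs. It uses the page's example parameters, endpoint and secret testsecret. The verify_request function and its secrets_by_key_id lookup are assumptions that stand in for the receiving service: they show the check the server performs, which is to recompute the signature over the received parameters, compare it in constant time, and reject a SignatureNonce that has already been accepted, which is the replay protection the SignatureNonce parameter exists for.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Parameters of the page's DescribeDesktops example (Signature not yet added);
# the Timestamp is the decoded value of the one shown in the request URL.
ENDPOINT = "https://ecd.cn-hangzhou.aliyuncs.com"
SECRET = "testsecret"
EXAMPLE_PARAMS = {
    "Timestamp": "2020-10-23T12:46:24Z",
    "Format": "XML",
    "AccessKeyId": "testid",
    "Action": "DescribeDesktops",
    "SignatureMethod": "HMAC-SHA1",
    "SignatureNonce": "3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf",
    "Version": "2020-09-30",
    "SignatureVersion": "1.0",
}


def percent_encode(value: str) -> str:
    # RFC 3986 rule from Step 1: letters, digits, '-', '_', '.' and '~' stay as they are;
    # everything else (space and '*' included) becomes %XY over the UTF-8 bytes.
    return quote(value, safe="-_.~")


def canonicalized_query_string(params: dict) -> str:
    # Step 1: drop Signature, sort by parameter name, encode names and values,
    # join each pair with '=' and the pairs with '&'.
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in pairs)


def string_to_sign(http_method: str, params: dict) -> str:
    # StringToSign = HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString)
    return (http_method + "&" + percent_encode("/") + "&"
            + percent_encode(canonicalized_query_string(params)))


def sign(http_method: str, params: dict, access_key_secret: str) -> str:
    # Step 2: HMAC-SHA1 keyed with the secret followed by '&', then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    message = string_to_sign(http_method, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode("ascii")


def build_signed_url(endpoint: str, params: dict, access_key_secret: str) -> str:
    # The final Signature value is itself percent-encoded, so '+', '/' and '=' in the
    # Base64 text travel as %2B, %2F and %3D.
    signed = dict(params, Signature=sign("GET", params, access_key_secret))
    query = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in signed.items())
    return endpoint + "?" + query


def verify_request(url: str, secrets_by_key_id: dict, seen_nonces: set) -> bool:
    # Assumed server-side check: recompute the signature over the received parameters,
    # compare in constant time, then refuse a SignatureNonce that was already accepted.
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    provided = params.get("Signature", "")
    nonce = params.get("SignatureNonce", "")
    secret = secrets_by_key_id.get(params.get("AccessKeyId", ""))
    if not provided or not nonce or secret is None or params.get("SignatureMethod") != "HMAC-SHA1":
        return False
    expected = sign("GET", params, secret)
    if not hmac.compare_digest(expected.encode("utf-8"), provided.encode("utf-8")):
        return False
    if nonce in seen_nonces:  # the same signed request arriving a second time
        return False
    seen_nonces.add(nonce)
    return True


def demo() -> tuple:
    # Returns (fresh request accepted, same request replayed, tampered request accepted).
    secrets = {"testid": SECRET}
    seen = set()
    url = build_signed_url(ENDPOINT, EXAMPLE_PARAMS, SECRET)
    first = verify_request(url, secrets, seen)
    replay = verify_request(url, secrets, seen)
    # Constructed tampering: one parameter changed after signing, signature left as is.
    tampered = verify_request(url.replace("Format=XML", "Format=JSON"), secrets, set())
    return first, replay, tampered


if __name__ == "__main__":
    print(string_to_sign("GET", EXAMPLE_PARAMS))
    print(sign("GET", EXAMPLE_PARAMS, SECRET))
    print(demo())
```

Two points the page's rules imply but are easy to get wrong: the canonicalized query string is built from the decoded parameter values and then encoded once, so the already-encoded Timestamp in the string is encoded a second time inside StringToSign (%3A becomes %253A); and the verifier decodes the query with parse_qsl, which turns a bare plus sign into a space, so a Signature value that is sent without the RFC 3986 encoding required in Step 2 will not verify.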